--- x/net/bluetooth/sco.c
+++ y/net/bluetooth/sco.c
@@ -155,6 +155,7 @@ static struct sco_conn *sco_conn_add(str
 * Must be called on the locked socket. */
 static void sco_chan_del(struct sock *sk, int err)
 {
+ struct hci_conn *hcon;
 struct sco_conn *conn;

 conn = sco_pi(sk)->conn;
@@ -165,10 +166,12 @@ static void sco_chan_del(struct sock *sk
 sco_conn_lock(conn);
 conn->sk = NULL;
 sco_pi(sk)->conn = NULL;
+ hcon = conn->hcon;
+ conn->hcon = NULL;
 sco_conn_unlock(conn);

- if (conn->hcon)
- hci_conn_drop(conn->hcon);
+ if (hcon)
+ hci_conn_drop(hcon);
 }

 sk->sk_state = BT_CLOSED;
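Review bot: In the second hunk, `conn->hcon = NULL` leaves a live `conn` whose `hcon` is NULL, so moving the read under `sco_conn_lock()` is only safe if every other user of `conn->hcon` takes the same lock and checks for NULL first. Those users lie outside the hunk and should be audited, because an unchecked dereference would trade what looks like a double-drop race for a NULL pointer dereference. The reason for claiming the pointer under the lock is not evident from the code, so I would add a comment above `hcon = conn->hcon;`, e.g. `/* Claim the hcon reference under the conn lock so only one teardown path drops it. */`. The body of sco_chan_del starts in the first hunk and continues past the end of the second.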